Compliance Control of Android devices

You can control Android devices for compliance with corporate security requirements. Corporate security requirements regulate how the user can work with the device. For example, the real-time protection must be enabled on the device, the anti-malware databases must be up-to-date, and the device password must be sufficiently strong. Compliance Control is based on a list of rules. A compliance rule includes the following components:

Device check criterion (for example, absence of blocked apps on the device).
Time period allocated for the user to fix the non-compliance (for example, 24 hours).
Responses performed on the device if the user does not correct the non-compliance issue within the set time period (for example, lock the device).
If the device is in battery saver mode, Kaspersky Endpoint Security for Android may perform this task later than specified.

To create a rule for checking devices for compliance with a policy:

In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
In the policy properties window, select Application settings.
Select Android and go to the Security controls section.
On the Compliance Control card, click Settings.
The Compliance Control window opens.
Enable the settings using the Compliance Control toggle switch.
In the When non-compliance is detected section:
- Select the Notify user check box to inform the user that the device does not comply with the policy.
  If the check box is cleared, the user is not notified of the non-compliance issue, and the response is performed on the device as soon as the time allocated for fixing the non-compliance expires.
- Select the Notify the administrator through the "Events" section check box to inform the administrator that the device does not comply with the policy.
Click Add.
The Add rule wizard starts. This wizard will help you create a set of rules for checking the device compliance with the policy. Navigate through the wizard using the Next and Back buttons.

Step 1. Criterion for non-compliance

Click Add criterion to specify the non-compliance criterion to trigger the rule.

The following criteria are available:

Real-time protection is disabled
Kaspersky Endpoint Security for Android is not installed or running on the device.
Anti-malware databases on device are out of date
Anti-malware databases were last updated 3 or more days ago.
Forbidden apps are installed
The list of apps on the device contains apps that are set as forbidden in the App Control settings of the policy.
Apps from forbidden categories are installed
The list of apps on the device contains apps from the categories that are set as forbidden in the App Control settings of the policy.
Not all required apps are installed
The list of apps on the device does not contain an app that is set as required in the App Control settings of the policy.
Operating system version is outdated
The Android version on the device is outside the allowed range.

For this criterion, specify the minimum and maximum allowed versions of Android in the Minimum version and Maximum version fields. If the maximum allowed version is set to Any, future Android versions supported by Kaspersky Endpoint Security for Android will also be allowed.
Device has not been synchronized for a long time
The last synchronization of the device with the Administration Server is checked.

For this criterion, specify the maximum period after the last synchronization in the Period without synchronization field.
Device has been rooted
The device is hacked (root access is gained on the device).
Unlock password is not compliant with security settings specified in policy
The unlock password on the device is not compliant with the settings defined in the Screen unlock settings card.
Installed version of Kaspersky Endpoint Security for Android is outdated
Kaspersky Endpoint Security for Android installed on the device is obsolete.

This criterion applies only to an app installed using a Kaspersky Endpoint Security for Android installation package and if the minimum allowed version of Kaspersky Endpoint Security for Android is specified in the App update settings of the policy.
SIM card usage is not compliant with security requirements
The device SIM card has been replaced or removed compared to the previous check state, or an additional SIM card has been inserted.

For this criterion, select the specific condition that must be monitored:
- The SIM card must not be replaced or removed
- The SIM card must not be replaced or removed; additional SIM cards must not be inserted
Device location
The device is outside the specified geofence areas.

Specifying the geofence area will result in increased device power consumption.

For this criterion, select the specific condition that must be monitored:
- The device is within a specified geofence (the geofence areas are combined using the OR logical operator).
- The device is outside specified geofences (the geofence areas are combined using the AND logical operator).
To add a geofence area:
1. Click Add geofences.
  The Add geofences window opens.
2. Specify the Geofence name.
3. Specify the geofence perimeter by entering a latitude and a longitude for each point.
  For each geofence area, you can manually enter from 3 to 100 coordinate pairs (latitude, longitude) as decimal numbers.
  
  A geofence perimeter must not contain intersecting lines.
  
  If needed, you can specify more than 3 points by clicking the Add point button.
  
  To delete a point, click the X button.
  
  You can view the specified geofence area in the Yandex.Maps program by clicking View on map.
4. Click OK to add the specified geofences.
Kaspersky Endpoint Security for Android has no access to precise or background location
Kaspersky Endpoint Security for Android is not allowed to access the precise location of the device or use the device location in the background.

Step 2. Responses for non-compliance with security requirements

Add the responses to be performed on the device if the specified non-compliance criterion is detected.

Choose one of the following options:

Add instant response. The response is applied instantly after the non-compliance criterion is detected.
Add deferred response. The response is applied after a deferral period that you can specify in the Deferral period field.
The following responses are available:
- Block all apps except system apps
  All apps on the device, except system apps, are blocked from starting.
  
  As soon as the non-compliance criterion selected for the rule is no longer detected on the device, the apps are automatically unblocked.
- Lock device
  The mobile device is locked. To obtain access to data, you must unlock the device by entering the one-time passcode or using the Unlock device command.
- Wipe corporate data
  The corporate data is wiped from the device. The list of wiped data depends on the mode in which the device operates:
  - On a personal device, Knox profile and mail certificate are wiped.
  - On a corporate device, Knox profile and the certificates installed by Kaspersky Endpoint Security for Android (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
  - Additionally, on a device with corporate container, the container (its content, configurations, and restrictions) and the certificates installed in it (mail, VPN, and SCEP profile certificates, except the mobile certificates) are wiped.
- Reset to factory settings
  All data is wiped from the device and settings are rolled back to their factory values. After this response is performed, the device will no longer be managed. To connect the device to Kaspersky Security Center, you must reinstall Kaspersky Endpoint Security for Android.
  
  On devices running Android 14 or later, this response is only applicable if the device is operating in corporate device mode.
- Lock corporate container
  Corporate container on the device is locked. To obtain access to corporate container, you must unlock it.
  
  The response is only applicable to devices running Android 6 or later.
  
  After the corporate container on a device is locked, the history of the container passwords is cleared. It means that the user can specify one of the recent passwords, regardless of the corporate container password settings.
- Wipe data of all apps
  On a corporate device, data of all apps on the device is wiped.
  
  On a device with corporate container, data of all apps in the container is wiped.
  
  As a result, apps are rolled back to their default state.
  
  The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.
- Wipe data of a specified app
  For this response, you need to specify the package name for the app whose data is to be wiped. How to get the package name of an app
  To get the name of an app package:
  1. Open Google Play.
  2. Find the app and open its page.
  The app's URL ends with its package name (for example, https://play.google.com/store/apps/details?id=com.android.chrome).
  
  To get the name of an app package that has been added to Kaspersky Security Center:
  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Apps.
  2. Click Android apps.
    In the list of apps that opens, app identifiers are displayed in the Package name column.
  As a result, the app is rolled back to its default state.
  
  The response is only applicable to devices running Android 9 or later in corporate device or device with corporate container operating modes.
- Prohibit safe boot
  The user is not allowed to boot the device in safe mode.
  
  The response is only applicable to corporate devices running Android 6 or later.
- Prohibit use of camera
  The user is not allowed to use any cameras on the device.
- Prohibit use of Bluetooth
  The user is not allowed to turn on and configure Bluetooth settings.
  
  The response is only applicable to personal devices running Android 12 or earlier, corporate devices, or devices with corporate container.
- Prohibit use of Wi-Fi
  The user is not allowed to use and configure Wi-Fi settings.
  
  The response is only applicable to personal devices running Android 9 or earlier or corporate devices.
- Prohibit USB debugging features
  The user is not allowed to use USB debugging features and developer mode on the device.
  
  The response is only applicable to corporate devices or devices with corporate container.
- Prohibit airplane mode
  The user is not allowed to enable airplane mode on the device.
  
  The response is only applicable to corporate devices running Android 9 or later.

Click Add rule to finish the Add rule wizard. The new rule and its details appear in the list of the Compliance Control rules. To temporarily disable a rule, use the toggle switch next to the selected rule.

To enable the automatic wiping of data from devices associated with disabled accounts of Active Directory users, select the Wipe data from devices with disabled Active Directory user accounts check box and select one of the following actions:

Wipe corporate data
Reset to factory settings
On devices running Android 14 or later, this action is only applicable if the device is operating in corporate device mode.

These settings require integration with Microsoft Active Directory.

If you use policy profiles, be sure to enable the wipe data option for the entire policy. When a user account is disabled in Active Directory, it is first removed from the Active Directory user group. As a result, the policy profile is no longer applied to this user account, so the data is not wiped from the device.

Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

Page top